CDs are manufactured with a “stacking ring” near the center of the disc, which serves to keep the bottom of one disc away from the top of the disc below it when stacked on a spindle.The lacquer on the top of a disc can become sticky even under ordinary environmental conditions, and is exacer-bated in humidity. Without the alignment provided by a spindle, if two discs are placed on top of each other, the lacquer may stick to the bottom of the disc placed on top of the other disc; separating the discs can also remove the reflector from the bottom disc, which can lead to a loss of evidence.
Fastening discs together with rubber bands or tape can also destroy them.
Rubber bands bend the edges of discs, thus deforming them.Tape can adhere to the top surface of a disc and, when removed, also remove the reflector from the disc. Some types of plastic wrap can also adhere to the lacquer and remove the reflector. For these reasons, it is not recommended to wrap discs in plastic or tape, and they should not be secured by rubber bands.
Ideally, discs should be stacked on spindles similar to those used by manu-factureres.This is the best way to package discs, but may not always be practical.
If the discs cannot be stacked on a spindle, they should be arranged in a stack in a paper bag and the bag taped to hold the discs in place. Properly stacking discs and taking advantage of the stacked ring will also preserve fingerprint evidence.
N
OTEIf you are given a bagful of discs or discs taped together, it is not neces-sarily a complete loss. Use extreme care in separating the discs. Do not try to remove tape applied to the top surface of a disc—instead, trim it.
Discs that are warped can be “flattened out” with a combination of weight and time.
Marking Discs
As mentioned previously, discs are not impervious objects; both polycarbonate and the lacquer coating can absorb humidity and other chemicals. It is recom-mended that you use water-based markers for writing on discs because of the following:
■ Ballpoint and rollerball pens will damage the data area of a disc.
www.syngress.com
Collecting CD and DVD Evidence • Chapter 4 59
■ Sharpie brand markers are not rated as safe by their manufacturer because they are alcohol-based.The manufacturer says that problems have not been reported, but for evidence discs they should not be trusted, especially for writing in the data area of a disc.They may be safe for use in the clamping ring area of a disc.
■ Markers that are solvent-based will dissolve the lacquer coating and destroy the reflector beneath it. Such markers can also damage the polycarbonate. While it is generally safe to use solvent-based markers in the clamping ring area of a disc, it is not recommended.
■ Other markers that are not clearly identified as solvent-based or water-based can pose a substantial risk to the data area of a disc. If there is a solvent odor when the cap is removed, the marker should not be used on evidence discs.
■ Labels can be applied to discs; however, if the adhesive is not the right type for CD use, a label can peel off of the disc, which will interfere with the disc when it is being used. Removing such a label would likely peel the reflector from the disc, thus destroying it.The adhesive may also interact with the lacquer and possibly destroy the reflector.
It is generally safe to write anywhere on the top surface of a disc with water-based markers (sold as water-based markers and as specially labeled
“CD Markers”). Avoid writing in any area that already contains markings.
Writing using a water-based marker in the clamping ring area of the disc is always safe. Using labels that are placed in the clamping ring area is also safe, and will not affect the balance of the disc.These labels are commonly avail-able and can be laser printed.
Transporting Discs
As mentioned previously, discs are sensitive to excessive heat (over 49C/120F) and ultraviolet (UV) light. Care must be taken to keep discs out of the sun and out of a potentially hot car interior. Additionally, prevent discs from receiving excessive vibration, as it can erode the surface of a disc if it comes into contact with other objects.
60 Chapter 4 • Collecting CD and DVD Evidence
Documenting and Fingerprinting Discs
At some point, it may be necessary to collect evidence (e.g., fingerprints and surface markings) from a disc.This should be done before attempting to access the data on the disc because it may be necessary to clean the disc before it can be read properly. Photographing the surface of a disc to document surface markings is recommended, because this cleaning can compromise the surface markings.
The environment inside a CD or DVD drive is not conducive to success-fully processing fingerprints after the disc has spent considerable time being rotated at high speed in the hot interior of the drive.This means that finger-prints must be processed in such a manner as to not destroy the readability of the disc. Developing fingerprints with powder and photographing the results is compatible with this objective. It is possible to remove residual powder from a disc completely, even if this requires washing the disc in plain water.
We do not recommend using any cyanoacrylate (superglue) processes, which would likely leave artifacts on a disc and affect readability. Shielding the bottom of the disc can eliminate these artifacts, but excludes processing the bottom of the disc. Any use of tape-based fingerprinting processes will destroy discs. If portions of the reflector have been removed by lift tape, it is not possible to recover the information that was written on that area of the disc and may prevent the disc from being read.
How to document a disc depends on the specific procedures for your lab-oratory. It is not recommended that you place rectangular labels on individual discs, because they can cause serious out-of-balance conditions in modern high-speed drives. If labeling individual discs is required, we recommend using “hub labels,” which are small circles that go in the center of the disc covering the clamping ring. Hub labels are specifically designed for use on CDs and DVDs, and are compatible with the high-speed drive environment.
Most other label adhesives are not compatible with this environment, and can result in the label peeling off inside the drive.
Another step is to take a digital photograph of the label side of a disc;
markings that are placed by the person writing the disc or the user of the disc can be useful as evidence. Some automated systems for processing discs take a photograph of each disc as it is being processed. Documenting the label of every disc can be a significant task when processing large numbers of discs,
www.syngress.com
Collecting CD and DVD Evidence • Chapter 4 61
but this can be valuable especially if the markings are damaged or removed during cleaning.
After fingerprint processing and the proper documentation of any evi-dence on the disc, light cleaning can be done to remove residual materials and/or contaminants (e.g., powder from fingerprint processing and substances such as cocaine) from the surface of the disc.This should be done without using any cleaning solvents.
Officer Safety
CDs and DVDs are often found in areas where there are biological, chemical, and drug hazards. Polycarbonate and lacquer both absorb water and other substances, which means it is not safe to handle discs that have been exposed to hazardous substances.
It is important to note that such contamination is unlikely to affect the readability or usability of a disc. Powders and liquids can contaminate discs in ways that make it hazardous for an officer to collect that disc. However, when the source of contamination is carefully removed in the laboratory, the result is a perfectly readable disc. Be aware that when put into a drive, any contami-nated disc will be spun off the disc and flung into the air.
It is not recommended that discs be cleaned in the field. While special handling considerations may apply to contaminated discs, evidence can be destroyed by improperly cleaning a disc; fingerprints and other trace evidence can also be lost.
When polycarbonate fractures, sharp fragments can be produced. Broken discs can be a significant hazard, because of sharp edges and because of tiny sharp fragments no larger than a grain of sand. Handling cracked or broken discs can result in a serious hazard if you cut yourself on broken discs and the risk is magnified by other contaminants in the collection environment.
62 Chapter 4 • Collecting CD and DVD Evidence
Preparing for
Disc Examination
Chapter 5
63
In order to conduct an examination of the digital evidence on Compact Disc (CD) or Digital Versatile Disc (DVD) media, you must have the proper hard-ware, softhard-ware, and workstation.
Forensic Hardware
It is recommended that you have two separate devices: a reliable Compact Disc - ReWritable (CD-RW) drive and a recent DVD writer that can read both DVD+ and DVD– media. Recent writers should also be compatible with Digital Versatile Disc Plus Recordable (DVD+R) DL (dual layer) media.
While it may seem counterintuitive, you must use a writer-type device, because reader devices do not access open sessions on discs.This means that any incomplete drag-and-drop discs would not be accessible with a reader.
Worse still, a multi-session disc that has been closed at least once and written to again with drag-and-drop writing software, will only show the finalized content; anything added after that would be invisible.
It is not necessary to use a write-blocker device with a CD or DVD writer, because writing software that functions without prompting is not pre-sent in Microsoft Windows. Before it will write to a disc, the CD writing capability present in Windows XP requires considerable effort on the part of the user.This writing capability also does not utilize rewritable media, such as CD-RW discs, making it difficult to write to a CD or DVD without signifi-cant user interaction.
If necessary, you can disable the Windows XP CD writing capability by opening the “My Computer” window and right-clicking the drive to be changed. Choose the properties and the select the Recording tab and uncheck the “Enable CD recording on this drive” option. ( Microsoft has indicated that they will be incorporating the ability to use rewritable CD and DVD media into the Windows Vista program. If this happens, it may not be as easy to disable writing.) Hardware and software write-blocking tools are available to prevent modification to evidence discs. (For more information contact InfinaDyne.)
We have found that the Plextor 12x writers are the most capable for reading problematic CD-R and CD-RW discs.These drives are no longer available from Plextor, but can still be obtained on eBay. Our recommenda-tions for reading DVD media are Plextor and Pioneer.